ModSecurity is a web application firewall (WAF), which controls output, input, and access to an application or service. With more than 70% attacks being carried out at the web application level, enterprises need to make their systems secure and they require all the help they can get. WAFs are set up to create a more effective external security layer, which helps in detecting and preventing attacks prior to their reaching web applications. ModSecurity offers protection from a number of attacks against web applications, allows real-time analysis with almost no change to the existing infrastructure along with HTTP traffic monitoring.
HTTP Traffic Logging
Web servers are generally well-equipped to document traffic in a style that is useful for marketing analysis, but are not able to log traffic to web applications. Most of them are not capable of logging request bodies. Your competitors understand this and that is the reason most attacks are now being carried out through POST requests, which render your systems blind. ModSecurity makes complete HTTP transaction logging possible, allowing all the responses and complete requests to be logged. The logging capabilities also allow critical decisions to be made about what is being logged and when, making sure that only relevant data is being recorded. As some responses and requests contain critical data in certain fields, ModSecurity can be set up to cover these fields prior to their being written to the audit log.
Real-Time Audit and Attack Detection
Along with providing logging facilities, ModSecurity monitors HTTP traffic to detect real time attacks. In such as situation, ModSecurity works as a web intrusion detection tool, which allows you to respond to doubtful events, taking place in your web systems.
Avoiding an Attack and Virtual Patching
ModSecurity acts immediately in case of an attack and prevents it from reaching your web applications. Following are three approaches which are used:
• Negative security model: This model checks requests for unusual behavior, anomalies and usual web application attacks. Anomaly score for each request is kept, along with the application sessions, IP addresses and user accounts.
• Positive security model: This models accepts requests that are valid and rejects everything else. This model needs to have the knowledge of the web applications you need to protect. This kind of model works best with applications that are used regularly but are rarely updated. This minimizes the maintenance of the model.
• Known vulnerabilities and weaknesses. The rule language of ModSecurity makes it an ideal external patching tool. External patching or virtual patching is all about decreasing the window of opportunity. Time required to patch application vulnerabilities often runs for weeks in lot of organizations. ModSecurity patches the applications from outside, without doing anything on the application source code, making your system secure, till the application goes through a proper patching.